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Abstract 

We  present  a  general  algorithm  for  detecting  whether  a  property  holds  in  a  distributed 
system,  where  the  property  is  a  member  of  a  class  we  call  the  locally  stable  properties.  Our 
algorithm  is  based  on  a  decentralized  method  of  constructing  a  maximal  subset  of  the  local 
states  that  are  mutually  consistent,  which  in  turn  is  based  on  a  weakened  version  of  vector  time 
stamps.  We  demonstrate  the  utility  of  our  algorithm  by  using  it  to  derive  some  specialized 
property-detection  protocols,  including  two  previously-known  protocols  that  ate  known  to  be 
efficient. 

[CL85)  gives  a  simple  algorithm  that  can  be  used  to  determine  whether  or  not  the  global  state 
of  an  asynchronous  distributed  system  satisfies  a  given  stable  property.  This  algorithm  is  very 
general  and  can  be  used  to  detect  any  stable  property  of  an  eisynchronous  system.  However,  it  is 
centralized  and  for  most  stable  properties  of  interest,  it  is  inefficient  in  the  number  of  messages 
used. 

In  this  paper,  we  present  an  algorithm  that  can  be  used  to  detect  stable  properties.  This 
algorithm  is  general  in  that  it  can  detect  a  wide  class  of  stable  properties  (although  not  as  wide 
as  [CL85]),  yet  it  is  decentralized  and  can  be  optimized  for  different  properties.  We  demonstrate  its 
utility  by  using  it  to  derive  some  specialized  property-detection  protocols,  including  two  previously- 
known  protocols  that  are  known  to  be  efficient. 

1  Definitions 

We  consider  an  asynchronous  distributed  system  consisting  of  a  set  of  n  nonfaulty  processes  P  = 
{piiPZi  •  •  •  iPn}-  Between  any  two  processes  pi  and  pj  there  exist  two  unidirectional  fault-free  FIFO 

'This  work  wts  supported  by  the  Defense  Advinced  Research  Projects  Agency  (DoO)  under  NASA  Ames  grant 
number  NAG  2-593,  Contract  N00140-f>7-C-8904,  and  by  grants  from  IBM  and  Siemens.  The  views,  opinions,  and 
findings  contained  in  this  report  are  those  of  the  authors  and  should  not  be  construed  as  an  official  Department  of 
Defense  position,  policy,  or  decision. 
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channels:  C,,j  from  p,  to  pj  and  Cj,,  from  Pj  to  p,,  and  these  channels  have  unbounded  delivery 
time.  Processes  communicate  only  by  sending  and  receiving  messages  over  these  channels. 

A  global  state  ^  is  a  consistent  set  of  process  states  and  channel  states,  defined  more 
precisely  in  Equation  2,  below.  A  property  is  a  predicate  expressed  over  the  global  state  of  the 
system.  A  stable  property  is  an  invariant;  once  it  becomes  true,  it  continues  to  be  true.  The 
most  common  examples  of  stable  properties  of  distributed  systems  are  deadlock  of  a  subset  of  the 
processes,  termination  of  a  distributed  computation,  and  the  lack  of  a  token  among  the  processes. 
There  are.  of  course,  other  stable  properties  of  interest.  For  example,  in  a  token  passing  system 
that  can  lose  but  not  regenerate  tokens,  the  predicate  “there  are  no  more  than  k  tokens  in  the 
system"  is  a  stable  property. 

Processes  execute  events,  which  can  be  send  events,  receive  events,  or  loccd  events.  We  say  that 
an  event  is  relevant  to  a  property  $  if  the  execution  of  the  event  can  potentially  affect  $.  More 
precisely,  if  $  is  a  boolean  formula  on  the  global  state  of  the  system,  and  if  event  e,  of  p,  changes  a 
part  of  the  state  that  is  referenced  in  $,  then  is  a  relevant  event.  For  example,  if  #  =  "a  subset 
of  the  processes  are  deadlocked”  then  the  relevant  events  include  those  that  request  a  resource 
and  those  that  grant  a  resource,  since  both  of  these  kinds  of  events  affect  whether  the  system  is 
deadlocked.  Note  that  these  events  could  be  local  events,  send  events,  or  receive  events,  depending 
on  exactly  how  i  is  defined.  Unless  stated  otherwise,  is  an  event  of  process  p,.  Each  event  p. 
results  in  the  local  state  a,  of  p,,  and  each  local  state  (7i  has  a  corresponding  event  e,  that  resulted 
in  that  state. 

We  will  only  be  interested  in  detecting  a  subset  of  the  stable  properties,  which  we  call  the  locally 
stable  properties.  Informally,  a  property  #  is  locally  stable  if  no  process  involved  in  the  property 
will  change  its  state  relative  to  i  once  i  holds.  For  example,  suppose  $  =  “processes  p,  and  pj 
are  deadlocked.”  $  is  locally  stable,  because  once  $  becomes  true,  neither  p,  nor  P;  can  execute 
an  event  that  could  affect  in  particular,  requesting  or  granting  a  resource. 

More  formally,  let  G  be  the  set  of  all  global  states  that  the  system  can  attain.  Let  E*  be  the 
portion  of  E  that  is  referenced  in  let  A  be  a  set  of  processes,  and  let  S|A  denote  the  subset  of 
E  that  consists  of  the  states  of  the  processes  in  .4  and  the  channels  between  processes  in  .4.  Since 
i  is  stable,  if  E  satisfies  ♦  then  all  states  that  are  reachable  from  S  also  satisfy  §.^  We  will  call  $ 
locally  stable  if  it  satisfies  the  following  condition;  consider  any  E  €  (7  that  satisfies  i,  and  let  .4 
be  the  set  of  processes  that  execute  no  relevant  events  in  any  state  that  is  reachable  from  E.  Then 
i  can  be  determined  by  only  considering  the  values  in  E#|A.  Note  that  A  must  be  nonempty  for 
properties  that  reference  the  state  of  the  system;  if  A  is  empty,  then  ♦  can  be  determined  without 
knowledge  of  the  state  of  any  process  or  channel  and  must  therefore  be  constant.  For  this  reason, 
we  will  assume  in  this  paper  that  A  is  nonempty. 

‘  E'  is  reachable  from  E  if  there  is  a  valid  execution  that  takes  E  to  E'. 
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The  most  commonly-studied  stable  properties — deadlock,  termination  and  no  token — are  all 
locally  stable.  For  example,  if  E  is  a  deadlock  state,  then  ,4  includes  the  deadlocked  processes,  and 
so  the  presence  of  deadlock  can  be  determined  by  considering  the  states  of  the  processes  in  .4.  The 
property  "there  are  no  more  than  k  :  k  >  0  tokens  in  the  system”  in  a  system  where  a  token  can 
be  lost  when  passed  is  not  a  locally  stable  property.  This  is  because  if  E  is  a  state  containing  k 
tokens,  then  every  process  can  execute  a  relevant  event  (namely,  it  can  pass  a  token),  and  so  .4  is 
empty.  The  condition  cannot  be  detected  from  the  values  in  E<»|.4,  since  there  are  no  values  in  this 
set. 

Our  protocol  will  be  based  on  a  weak  version  of  vector  clocks  [Mat89].  The  usual  definition  of 
a  vector  clock  V'le,  )  is: 

•  V'(e,)(i]  is  the  number  of  events  that  p,  has  executed  through  e,,  and 

•  ^  t  is  the  number  of  events  that  p,  knew  that  pj  had  executed  when  p,  e.xecuted 

e,. 

This  definition  gives  us  the  following  two  relations  between  vector  clocks  and  cuts,  where  -♦  is  the 
happens-be/ore  relation  defined  in  [Lam78).  Equation  1  defines  the  happens- before  relation  in  terms 
of  vector  clocks,  and  Equation  2  defines  when  a  set  of  local  states  comprise  a  globed  state; 

Vi,j  ;  i  jfc  ;  :  F(e<)(»]  <  V(e,)[i]  =  e,  -♦  e,  i  1) 

Vt,  j  :  >  V{ej)[i\  =  (<7t . a„)  £  Q  (2) 

We  weaken  this  definition  to  weak  vector  clocks  in  which  the  index  V''(e,  )[i]  counts  only  the 

number  of  relevont  events  that  p,  has  executed  through  e,.  With  weak  vector  clocks,  several  events 
of  Pi  may  have  the  same  value  of  V(ei)[i],  but  all  such  states  result  in  the  same  local  state  with 
respect  to  Let  E{€i)  be  the  events  of  pi  that  are  equivalent  to  in  that  they  have  the  same 
weak  vector  clock  V{e,).  Similarly,  let  5(E)  be  the  set  of  (not  necessarily  consistent)  cuts  that  are 
equivalent  to  E;  that  is,  if  E'  =  . .  ..aj,},  then  E'  €  5(E)  =  Voj  e  E  :  e ■  G  i^(e,). 

The  following  weakened  versions  of  Equations  1  and  2  hold  for  both  vector  clocks  and  weak 
vector  clocks: 

Vj,j  :  I  ^  j  :  V^(ei)(i]  <  V(ej)[i]  = 

^e\,e'j  :  ej  €  £(e»)  A  e*  G  ^(*>)  A  cj  — ►  e'j  (3) 

Vi,i  :  K(€.)(t]  >  V( <,)(»•]  2  3E  G  i? :  S  6  S((<Ti . <t„))  (4) 

The  difference  between  vector  clocks  and  weak  vector  clocks  is  illustrated  in  Figure  1.  VVe 
assume  that  the  predicate  of  interest  references  z  and  y,  but  not  u  nor  any  of  the  channel  states. 
The  upper  execution  shows  normal  vector  clock  values  and  the  lower  execution  shows  the  weak 
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vector  clock  values.  Note  that  although  the  events  j  :=  1  and  y  :=  3  do  not  form  a  consistent 
cut,  their  timestamps  in  (b)  satisfy  Equation  4  since  there  does  exist  a  consistent  cut  in  which 
(x  =  1.  y  =  3). 


X  :=  1  u  :=  1  X  :=  2 


X  ;=  1  u  :=  1  X  :=  2 


(b) 

Figure  1:  Execution:  (a)  with  vector  clocks,  (b)  with  weak  vector  clocks. 


2  Protocol 

We  first  assume  that  a  process  po  wishes  to  determine  when  the  global  state  of  the  processes 
P  =  {Pi)  ■  •  •  .Pn}  satisfies  a  locally  stable  property  In  Section  2.1,  we  will  change  this  protocol 
so  that  any  number  of  processes  in  P  may  concurrently  assume  the  role  of  po-  For  simplicity,  the 
state  of  the  channel  Cj.j  from  pi  to  Pj  will  be  represented  by  two  (unbounded)  queues:  send,[j], 
which  is  the  sequence  of  messages  p,  has  sent  to  pj  and  is  maintained  by  p,,  and  rect;j[t],  which  is 
the  sequence  of  messages  pj  has  received  from  p,  and  is  maintained  by  pj.  Whenever  we  apply  this 
algorithm,  we  will  need  to  show  that  the  length  of  these  queues  is  in  fact  bounded  by  a  small  value. 
Whenever  a  process  p,  executes  a  relevant  event  e^,  p,  records  in  a  buffer  B,  its  state  relative  to 
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$  and  the  vector  time  stamp  ^(e, ).  Thus,  having  executed  e,,  the  value  of  B,  will  be  {a,,  V'(e, )). 
We  will  abbreviate  these  two  components  of  Bi  !ls  B,.(t  and  B,.V.  Then,  po  periodically  collects 
the  values  of  the  buffers  in  any  order.  Once  po  has  received  these  values,  po  determines  if  there 

exists  a  maximal  consistent  subcut  among  {fli, _ Bn)  that  satisfies  By  consistent  subcut,  we 

mean  a  set  of  states  whose  timestamps  satisfy  Equation  4;  hence,  the  state  of  a  single  process  is 
trivially  a  consistent  subcut.  If  po  can  find  such  a  subcut  that  satisfies  then  $  must  currently 
hold.^ 

Unfortunately,  the  number  of  maximal  subcuts  of  a  set  of  n  weak  vector  clocks  is  0(2").  For¬ 
tunately,  it  is  not  necessary  for  po  to  examine  ail  of  these  subcuts.  Suppose  the  set  of  buffer  values 
contcuns  B,  and  Bj  that  are  inconsistent:  B,.V[i\  <  These  two  states  violate  Equation  4. 

and  so  cannot  be  part  of  the  same  consistent  subcut.  However.  Bj  records  the  fact  that  p,  has 
e.xecuted  a  relevant  event  since  B,  wjis  recorded.  Since  #  is  locally  stable,  the  event  that  gener¬ 
ated  B,  cannot  have  been  involved  in  establishing  and  so  po  need  not  consider  any  consistent 
subcut  containing  B,.  Given  the  partial  order  Bi  >■  5^“=^  B,.V[j]  >  B}.V[j],  po  need  only  find  the 
greatest  elements  of  >.  which  can  be  done  in  time.  We  call  this  subset  the  latest  subcut.  By- 

Equation  4  the  latest  subcut  is  clearly  a  maximal  subcut,  and  all  events  not  in  the  latest  subcut 
have  e.xecuicd  relevant  events  since  recording  their  state  and  so  their  values  can  be  ignored. 

The  soundness  of  this  protocol  is  straightforward.  We  now  argue  that  the  protocol  is  complete 
as  well;  that  is,  if  i  holds,  then  our  protocol  will  detect  §.  Let  E  be  the  first  global  state  in  which 
$  holds.  Since  $  is  locally  stable,  there  is  a  nonempty  set  of  processes  A  none  of  which  execute 
a  relevant  event  after  E;  these  processes  will  not  change  their  states  relative  to  #  or  update  their 
vector  clocks  after  S.  If  po  initiates  the  protocol  after  E  (i.e.,  when  $  holds),  then  po  will  collect 
the  states  E#|i4.  From  the  definition  of  >-,  the  state  of  a  process  p,  in  A  must  be  in  any  latest 
subcut  constructed  by  po  because  pi  will  execute  no  relevant  event.  Hence,  po  will  detect  $. 

2.1  Optimization 

In  the  above  protocol,  po’s  role  is  to  collect  the  states,  determine  the  latest  subcut  and  check  if  $ 
holds  in  this  subcut.  We  can  decentralize  these  steps  by  collecting  the  states  in  a  token. 

Consider  a  token  K  that  consists  of  n  entries  {D\,. . . ,  Dn)  where  each  entry  Di  =  (  B|.V'[i]  )■. 

that  is,  Di  will  hold  the  state  of  pi  relevant  to  4^  and  the  local  component  of  p/s  vector  clock  when 
it  generated  this  state.  Assume  that  there  exists  a  special  value  J.  for  Di  indicating  that  the  state 
has  not  yet  been  collected;  so,  all  of  the  Di  in  K  are  initially  set  to  ±. 

Whenever  pi  wants  to  know  whether  ♦  holds,  it  generates  an  empty  token  K,  inserts  its  state 

’The  initiktor  could  examine  all  consistent  subcuts,  but  if  4'  C  4  and  Esl^'  supports  ♦,  then  Es|4  will  also 
support  ♦,  so  we  need  only  examine  the  maximal  subcuts.  Of  course,  ♦  may  be  of  the  form  Vp*  :  ♦(pi),  in  which 
case  only  a  full  consistent  cut  will  satisfy  4. 
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into  £),,  and  passes  the  token  to  any  other  process.  When  a  process  pj  receives  a  token  K.  it  takes 
the  following  steps: 

•  pj  sets  Dj  to 

•  Pj  casts  out  any  values  D,  that  are  not  part  of  the  latest  subcut.  Note  that  by  definition.  Bj 
must  be  part  of  the  latest  subcut,  so  only  the  earlier  values  Di  need  be  tested  with  respect 
to  Bj.  From  above,  the  value  B,  can  be  discarded  if  B,.V[i\  <  ByV[i\.  The  value  5,.r[ij  is 
stored  in  Di,  so  A’  carries  enough  information  for  pj  to  make  this  test.  If  D,  is  not  in  the 
latest  subcut,  then  Pj  sets  D,  to  1. 

•  Pj  determines  whether  the  values  satisfy  #.  If  so,  then  the  detection  is  made:  otherwise. 
Pj  forwards  the  token  to  a  process  pk,  chosen  fairly,  with  Dk  =  -L.  If  there  is  no  such  process, 
then  pj  can  drop  the  token. 

Note  that  we  have  no  a  priori  restriction  on  how  many  tokens  there  can  be  in  the  system  at 
any  time  or  on  how  the  token  is  passed,  other  than  it  is  passed  in  a  fair  manner.  These  decisions 
can  be  made  when  the  algorithm  is  applied  to  a  particular  problem. 

3  Termination  Detection 

We  can  now  instantiate  the  general  protocol  given  above  to  obtain  a  protocol  that  detects  termi¬ 
nation  in  a  distributed  system.  There  are  many  variations  of  this  property.  The  earliest  that  we 
know  of  is  due  to  Dijkstra,  in  [DijSO),  The  following  definition  is  the  same  as  that  given  in  [MisS3]. 

All  processes  are  either  active  or  idle.  Only  active  processes  can  send  messages.  An  active 
process  may  become  idle  at  any  time;  an  idle  process  may  become  active  upon  receipt  of  a  message. 
The  system  is  terminated  when  all  processes  in  the  system  are  idle  and  there  are  no  messages  in 
transit. 

The  events  that  are  relevant  to  termination  are  sending  a  message,  receiving  a  message,  becom¬ 
ing  idle,  and  becoming  active.  Therefore,  each  process  will  update  its  (weak)  vector  clock  upon 
executing  any  of  these  events.  The  state  of  a  process  relative  to  termination  consists  of  whether 
the  process  is  active  or  idle  and  whether  there  is  a  message  on  an  incoming  channel.  Note  that 
for  this  problem,  we  do  not  need  to  keep  track  of  the  contents  of  the  messages  exchanged  between 
processes;  only  the  number  of  messages  is  important.  To  capture  the  channel  states,  we  have  each 
process  keep  track  of  how  many  messages  it  has  sent  and  received  on  each  adjacent  channel.  The 
combined  information  of  all  of  the  processes  will  then  yield  the  number  of  messages  in  transit  on 
each  channel:  if  pi  has  sent  more  messages  to  pj  than  pj  has  received  from  pi,  then  there  is  at  least 
one  message  on  channel  C,  j. 

We  instantiate  the  general  protocol  given  in  Section  2.1  as  follows: 
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Each  process  pi  maintains  the  following  local  state  variables: 

•  active,-.  Boolean  =  true  if  and  only  if  p,  is  active. 

•  sen(i,[l..nl;  Integer  array.  sen<^[j]  =  the  number  of  messages  that  p,  has  sent  to  pj  (initially 
0). 

•  recn[l..n]:  Integer  array.  recv,[j\  =  the  number  of  messages  that  p,  has  received  from  pj 
(initially  0). 

When  p,  sends  a  message  to  pj,  sendi[j\  is  incremented.  When  pi  receives  a  message  from  pj. 
recui[j]  is  incremented.  When  p;  becomes  active  or  idle,  activci  is  set  appropriately. 

At  some  point,  an  idle  process  pu  will  start  the  detection  algorithm  by  circulating  a  token  as 
described  in  Section  2.1.  The  termination  condition  can  only  be  evaluated  over  a  total  global  state, 
so  a  positive  determination  can  only  be  made  by  the  process  p/  that  is  the  last  to  add  its  state  to 
the  token. 

Process  py  detects  termination  if  and  only  if  the  following  three  conditions  hold: 

1.  The  timestamps  in  the  token  form  a  consistent  cut  over  all  processes; 

2.  All  processes  are  idle:  Vi  :  activei  =  false; 

3.  There  are  no  messages  in  transit:  Vi,  j  ;  sendi[j]  =  recvj[i]. 

We  claim  that  item  1  is  redundant:  item  3  implies  that  the  cut  is  consistent.  Suppose  by  way  of 
contradiction  that  when  all  of  the  states  and  timestamps  have  been  collected,  item  3  holds  but  the 
timestamps  form  an  inconsistent  cut.  That  the  cut  is  inconsistent  implies  from  Equation  4  that  for 
some  i.j,  5,.V[i]  <  B].V[i].  ByV[i]  is  advanced  only  when  pj  receives  a  message  and  events  local 
to  pj  only  affect  Bj.V[j].  Therefore,  there  must  have  been  a  chain  of  messages  between  p,  and  pj 
between  the  time  that  B,  was  collected  and  the  time  that  Bj  was  collected.  This  implies  that  there 
is  some  k  such  that  sen<i[l:]  <  recT<k[j].  This  contradicts  the  assumption  that  item  3  holds. 

Therefore,  pf  need  only  check  the  last  two  items.  In  fact,  these  checks  can  be  done  incrementally. 
For  example,  we  can  assign  a  total  order  to  the  processes  and  have  the  token  passed  along  that 
total  order.  When  process  pk  receives  the  token,  it  tests  to  see  if 

~<activek  A  (V/  :  I  <  t  <  k  :  (sen<4[/]  =  rect|[fc])  A  (scndtf^l  = 

If  this  condition  does  not  hold,  then  pk  can  drop  the  token.  If  the  condition  holds  and  k  =  n. 
then  termination  is  detected;  otherwise,  p*  fills  in  Dk  and  passes  the  token  to  Pk+i- 

This  yields  the  protocol  given  in  [Mat87]  as  the  channel  counting  protocol,  which  only  requires 
n  messages  to  detect  termination  once  it  holds,  and  which  can  be  further  refined  into  a  protocol 
that  is  space-efficient. 
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4  Deadlock  Detection 


We  now  instantiate  the  general  protocol  given  in  Section  2  to  obtain  a  protocol  that  detects  k-out- 
of-m  deadlock  in  a  distributed  system.  This  problem  was  first  formulated  and  solved  in  [BTS4].  In 
this  formulation,  a  process  can  request  fc  resources  from  a  pool  of  m  resources. 

.A.  process  is  either  active  or  blocked.  An  active  process  is  one  that  is  not  waiting  for  any  other 
process.  Active  processes  may  issue  fc-out-of-m  requests  in  the  following  way.  When  an  active 
process  p,  requires  k  processes  to  carry  out  some  request,  it  sends  request  messages  to  each  of  the 
m  processes  that  can  perform  this  action.  Process  p,  then  becomes  blocked,  and  waits  until  the 
action  requested  is  carried  out  by  at  least  k  of  the  m  processes.  A  process  can  not  send  any  further 
requests  while  blocked. 

Only  active  processes  can  carry  out  a  requested  action.  If  a  process  pj  receives  a  request 
while  active,  it  will  either  become  blocked  or  carry  out  p,'s  requested  action  within  finite  time. 
In  the  latter  case,  pj  will  send  a  grant  message  to  p,.  When  p,  receives  k  grant  messages,  it 
becomes  active  again.  It  then  relinquishes  the  requests  made  to  the  rest  of  the  processes  to  which 
it  sent  request  messages  by  sending  them  relinquish  messages.  We  assume  that  a  grant  message 
identifies  its  corresponding  request  message  (for  example,  by  using  a  sequence  number)  so  that  if 
p,  receives  more  than  k  grant  messages  for  a  given  request  message,  the  extra  grant  messages 
can  be  discarded. 

The  global  state  of  the  system  will  be  represented  as  follows.  Each  process  p,  maintains  the 
following  variables: 

•  k,\  Integer  =  the  number  of  grant  messages  required  for  p,  to  become  active  (initially  0). 

•  r.sen<4[l..ti]:  Integer  array.  r.sen<4[j]  is  the  number  of  request  messages  that  p,  has  sent  to 
Pj  (initially  0). 

•  r.recn[l..n];  Integer  array.  r.Tecvi[j\  is  the  number  of  request  messages  that  p,  hcis  received 
from  pj  (initially  0). 

•  p-3en<4[l..n]:  Integer  array.  g.send,\j\  is  the  number  of  grant  messages  that  p,  has  sent  to 
Pj  (initially  0). 

•  p-re<Mt[l..n]:  Integer  array.  g.recvi[j]  is  the  number  of  grant  messages  that  p,  has  received 
from  Pj  (initially  0). 

We  also  define  the  following  two  state  functions: 

•  blki'.  Integer  set.  j  6  blki  if  pi  has  received  a  request  message  from  pj  and  p,  has  not  sent  a 
corresponding  grant  message  (i.e.,  p,  is  blocking  p^).  This  is  defined  as 

j  €  blk,^=  r.rec^[j)  >  g.sendt[j] 


8 


•  wf,:  Integer  set.  j  £  wf,  if  p,  has  sent  a  request  message  to  pj  and  p,  has  not  received  a 
corresponding  grant  message  (i.e..  p,  is  waiting  for  pj).  This  is  defined  as 

j  e  n;/,  r.send^fj]  >  g.recv,[j] 

The  system  wait-for  graph  is  constructed  as  follows: 

•  a  waits-for  edge  is  drawn  from  p,  to  pj  when  j  £  wf,  A  {i  £  blkj  V  (  r.senci.fj']  >  r.recuj[ij ) ): 

•  the  value  k,  is  defined  as  A:,  -  |Vj  :  g.sendj[i\  -  p.recn[_7']|. 

Deadlock  is  tested  by  reducing  tnis  graph:  if  an  edge  points  from  p,  to  Pj  and  pj  is  active,  then 
the  edge  can  be  erased  and  k,  can  be  reduced  by  one;  and  if  a  process  has  k,  =  0.  then  ail  of  its 
outgoing  edges  can  be  erased.  The  system  is  deadlocked  if  and  only  if  there  are  edges  that  cannot 
be  removed  by  following  these  two  rules. 

The  relevant  events  are  requesting  a  resource,  granting  a  resource,  receiving  a  grant,  and  re¬ 
ceiving  a  request.  Several  actions  may  be  associated  with  a  relevant  event;  for  example,  when  p, 
requests  1  out  of  2  resources  from  pj  and  pt,  the  following  steps  are  executed  atomically: 

1.  k,  is  set  to  1; 

2.  r.send,[j]  and  r.senci,[A:]  are  incremented: 

3.  fl,.V'[i]  is  incremented. 

The  request  messages  can  then  be  sent  to  pj  and  p^. 

As  described  in  Section  2.1,  a  process  can  start  circulating  a  token  at  amy  time.  For  deadlock,  a 
process  need  only  send  a  token  if  it  is  blocked  for  an  excessive  time,  and  a  logical  place  to  forward 
the  token  is  to  one  of  the  processes  upon  which  it  is  blocked. 

This  protocol  can  be  optimized  further.  For  example,  if  we  restrict  ourselves  to  RPC  deadlock 
( 1-out-of-l  requests),  then  =  1  and  need  not  be  represented  in  the  wait-for  graph,  and  the  wait- 
for  graph  is  reducible  if  and  only  if  it  does  not  contain  a  cycle.  Hence,  when  a  process  p,  receives 
a  token  K  it  can  test  for  a  cycle  in  the  wait-for  graph  simply  by  testing  to  see  if  its  state  is  still 
consistent  with  Di.  Furthermore,  if  a  blocked  process  delays  receiving  any  request  messages  while 
blocked,  then  it  is  easy  to  show  that  the  vector  clocks  are  not  necessary:  all  states  in  the  token  are 
consistent  at  any  time.  Recall  that  when  pj  receives  a  token  from  p,  where  t  £  blkj,  pj  adds  its 
state  and  forwards  the  token  to  the  process  in  wfj  if  wfj  is  nonempty  and  drops  the  token  if  wf^  is 
empty.  Suppose  by  way  of  contradiction  that  Di  and  Dj  are  two  entries  in  the  token  such  that  B, 
and  Bj  are  inconsistent:  Bi.V[i]  <  Bj.V[i].  Then  p,  must  have  sent  a  request  message  since  its 
state  was  added  to  the  token.  Furthermore,  Bj  must  have  been  added  to  the  token  after  5,,  which 
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implies  that  there  is  a  path  in  the  wait-for  graph  from  p,  to  pj.  But  this  means  that  p,  cannot 
become  active  until  pj  sends  a  grant  message  to  the  process  in  blkj,  contradicting  that  p,  sent  a 
request  message  since  its  state  was  added  to  the  token.  Therefore,  all  states  in  the  token  at  any 
time  are  consistent. 

-A.  similar  argument  can  be  made  to  show  that  this  protocol  will  detect  and-deadlock  ( m-out- 
of-m  requests),  but  the  argument  is  more  complex.  The  resulting  protocol  is  the  one  presented 
in  [CMH83]. 

5  Conclusion 

This  paper  presents  a  general  protocol  for  detecting  a  class  of  stable  properties  (the  locally  stable 
properties)  by  constructing  consistent  subcuts.  The  protocol  collects  the  consistent  subcuts  in  a 
decentralized  manner  and  is  message  efficient.  We  have  demonstrated  its  use  by  refining  it  to  a 
known  protocol  for  termination  detection,  a  new  protocol  for  A:-out-of-m  deadlock  detection,  and  a 
known  protocol  for  and-deadlock  detection.  It  is  interesting  to  note  that  the  two  known  protocols 
are.  in  fact,  implicitly  constructing  consistent  subcuts. 

The  class  of  locally  stable  properties  was  defined  in  proving  the  protocol  correct.  We  are 
interested  in  whether  the  protocol  can  be  extended  to  detect  a  wider  set  of  stable  properties.  ^Ve 
would  also  like  to  better  understand  the  notion  of  relevant  events  and  weak  vector  clocks.  We  have 
attempted  to  refine  our  protocol  to  several  known  protocols,  and  have  found  that  subtle  changes 
in  the  definition,  or  relevant  events  and  propagation  of  vector  time  stamps  can  greatly  ease  the 
process  of  refinement. 
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